Written by
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
- ISBN13: 9780321369444
- Condition: New
- Notes: BRAND NEW FROM PUBLISHER! BUY WITH CONFIDENCE, Over one million books sold! 98% Positive feedback. Compare our books, prices and service to the competition. 100% Satisfaction Guaranteed
Since its early days as an information exchange tool limited to academe, researchers, and the military, the web has grown into a commerce engine that is now omnipresent in all facets of our lifes. More websites are created daily and more applications are developed to allow users to learn, research, and purchase online. As a result, web development is often rushed, which increases the risk of attacks from hackers. Furthermore, the need for secure applications has to be balanced with the need for usability, performance, and reliability. In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent and prepare for such attacks. They point out that methodical testing must include identifying threats and attack vectors to establish and then implement the appropriate testing techniques, manual or automated.
Rating: 
(out of 12 reviews)
List Price: $ 49.99
Price: {price-updating}
Review by Jim Anderton for How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Rating:
I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I’ve always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.
The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn’t really considered before. I won’t list them here because someone would undoubtedly say, “I can’t believe he didn’t know about that one!” The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.
Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn’t know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.
This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do.
Review by Charles Hornat – http://www.infosecwriters.com for How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Rating:
This is a hard topic to find good reading. Most books are usually targeted towards operating systems or malware specifically. However, from the first page, I knew this was something worthwhile. A key part to this book being so good is the format Mike and James use to present each topic thus providing something for attackers and security folks. It also could provide pen testers and auditors some good ammo to use as well.
The layout of the chapters starts with gathering information on targets. Then takes a step towards client side attacks, server side attacks, Language based attacks, Authentication, Privacy, and Web Services. They even throw in a chapter outlining the last 50 years or so of web software defects. Surprisingly, or not so surprisingly, we have not always learned from our mistakes.
The best part of the book however, is not the topic as much as it is the layout they use to demonstrate every vulnerability. They start with a topic, Buffer Overflows as an example. The authors describe what it is in a few paragraphs, then discuss when to apply this type of attack, then proceed in How to conduct this attack, and end with How to protect oneself from this attack. Each section is no more than a few paragraphs, ensuring that you do not loose focus on what’s being discussed.
The authors also do a great job discussing the tools that one can use to test or perform each attack. Tools such as Nikto, Wikto, Paros and SSL Digger are discussed. When additional information is needed, they provide screenshots and output for one to learn from.
This book is a must for anyone in the role of Web Security, Auditing, or pen testing.
Pros
Good Tools, Excellent format, Easy to read
Cons
Perhaps more references for more information since the authors do not go into great detail; Advanced web security people may find it a bit elementary
Review by Groovymarlin for How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Rating:
I was disappointed in this book. The actual content was pretty thin, and not very well written. Chapter 1 is a complete waste of time, and actually spends pages explaining what client/server means, what the Web is, and other things that are patently obvious to the supposed audience for this material. I found myself turning to the front to see if this book was written in 1997! You then get nine fairly short chapters with instructions on how to hack a website, more or less; followed by 50 pages of useless padding in the appendices including: an unrelated article co-authored by Whittaker for the IEEE, a detailed list of all the bugs present in their “sample application,” and then descriptions of their recommended tools, all of which can easily be found on the Web without paying $22 for this book.
As another reviewer mentioned, there are many typos and other problems like incorrect illustrations, making the reader wonder if Addison-Wesley even employs a copy editor. Furthermore, I felt this book was inaccurately named and described. It’s really more about rudimentary hacking and protecting your web application against hackers than web quality or web testing. A beginning web developer might do well to read this as a primer on how to create sites and applications with basic security, but as an experienced tester it was of limited use to me.
Review by Christos Partsenidis for How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Rating:
This is a focussed book with a single aim; to help you find and correct common vulnerabilities in web-based applications and website software.
Above all, this is a book to be used. The authors take a practical approach to each area of consideration, and the chapters are well structured to make it easy for you to get right to work.
For each area they provide an informative overview followed by discussion of the vulnerabilities including numerous code snippets, examples and screen shots. Though rich in detail the writing style keeps you engaged and the sensible structure (when to apply the attack, how to perform it and how to protect against it) makes it easy to grasp the key points.
There is no bias towards either Windows or Unix products on either the client or the server, and you won’t need to be a scripting expert to put the authors’ ideas into practice.
Chapter 1 explains the difference between web-based and traditional client-server systems and why a different approach is needed when testing. Subsequent chapters cover the vulnerabilities:
Gathering Information on the Target
Bypassing Client-Side Validation
State-Based Attacks
Including Hidden Fields, Cookie poisoning and Session Hijacking
Data Attacks
Including Cross-Site Scripting, SQL Injection and Directory Traversal
Language-Based Attacks
Including Buffer Overflows
Server Attacks
Including Stored Procedures, SQL Injection, Server Fingerprinting and Denial of Service
Authentication
Including Weak Cryptography and Cross-Site Tracing
Privacy
Including Caching, Cookies, Web Bugs, ActiveX Controls and Browser Help Objects
Web Services
Including WSDL and XML attacks
The book comes with an excellent companion CD containing a number of testing tools and a flawed website on which you can use the techniques you have learned to cement your knowledge. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.
All in all, a rich and well-focussed yet accessible introduction to a wide-ranging subject. If the security of web-based applications is your area, make room for this on your bookshelf.
Review by Stephen Northcutt for How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Rating:
You can’t really read a book like this. You read a few pages and prop the book up with a cookbook holder and start typing in the examples. There were a couple I could not duplicate, but almost everything worked as the authors said it would. Great book, or maybe it would be better to say, great tool!
The fun starts with chapter 2 and these folks do not spend a lot of time on reconnaisance. They know how to break web software and we start on that by chapter 3. I was a little sad in chapter 5, they did not really do SQL injection justice, but then they hit it again with stored procedures in chapter 7.
If there is a weakness to the book it might be chapter 9 and 10, the ending, but I still found both chapters informative.
Every large organization I know is building web applications and most of them are doing it badly. If you are a coder, a webmaster, or a manager of any of the above, buy a copy of this book for everyone on your team. I am going to do the same for my team right now.